Medical IoT for diabetes and cybercrime

The medical sector is one of those special domains that particularly deserves our attention. In this talk we focus on diabetes, IoT and cybercrime.

Diabetes is a rather frequent group of disorders: it affects close to 9% of the adult population worldwide. People with diabetes typically have to prick their finger four times a day, get a drop of blood and measure their level of blood glucose. Then, they adjust their treatment (e.g. insulin) based on the results.

This "routine" is tedious, and consequently medical IoT devices that automatically measure blood glucose (i.e. without having to prick your finger) are quite welcome. Those systems are known as Continuous Glucose Monitoring systems (CGM) or Flash Glucose Monitoring (FGM) systems. Note that connected insulin pumps also exist, but perhaps because of obvious health risks, patients usually prefer to stick with connected glucose monitoring systems and inject insulin manually.

Are connected glucose monitoring systems safe in terms of security and privacy? Who would attack a random diabetic patient? What for? Are the threats real or overestimated? These are the questions our research set out to answer.

1. We analysed the security of a given FGM system. The design of the device is interesting: it communicates over NFC with the patient's smartphone. We experimented with the system, opened it and reverse-engineered it. We had expected horrors - this is unfortunately common with IoT - and were pleasantly surprised to find a decent design. It is not perfect (nothing is), and we'll discuss a few issues ranging from privacy to obsolescence.

2. We identified a couple of diabetes-related malware samples. We will explain what they do and what motivates the attackers, and thus what risks patients face. So far, we haven't uncovered any attempt to directly affect the health of victims, but the samples we found have side-effects on the victims' ability to manage their diabetes, and this could become dangerous at some point.

3. Finally, we obtained information from the Dark Web. Are records of diabetic patients being traded or sold there? Are targeted attacks on specific diabetic patients real or FUD? We have collected some evidence (trades, experimental treatments) and will explain what we found.

Axelle Apvrille

Axelle Apvrille is Principal Security Researcher at Fortinet. Specifically, she looks into mobile malware and smart devices (not always that smart...). She is a frequent speaker at Virus Bulletin, Insomni'hack and Hack.lu. She has also spoken at BlackHat Europe, SSTIC, TROOPERS, DefCamp, BlackAlps, Hacktivity and other conferences. She is the lead organizer of Ph0wn CTF, a Capture The Flag dedicated to smart devices. Finally, she enjoys drawing comics and 3D printing.
